AddressSanitizer.cpp revision 8375bc923638299410e75e8f668524fc1aa113bd
1//===-- AddressSanitizer.cpp - memory error detector ------------*- C++ -*-===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// Details of the algorithm: 12// http://code.google.com/p/address-sanitizer/wiki/AddressSanitizerAlgorithm 13// 14//===----------------------------------------------------------------------===// 15 16#define DEBUG_TYPE "asan" 17 18#include "llvm/ADT/ArrayRef.h" 19#include "llvm/ADT/OwningPtr.h" 20#include "llvm/ADT/SmallSet.h" 21#include "llvm/ADT/SmallString.h" 22#include "llvm/ADT/SmallVector.h" 23#include "llvm/ADT/StringExtras.h" 24#include "llvm/Function.h" 25#include "llvm/IntrinsicInst.h" 26#include "llvm/LLVMContext.h" 27#include "llvm/Module.h" 28#include "llvm/Support/CommandLine.h" 29#include "llvm/Support/DataTypes.h" 30#include "llvm/Support/Debug.h" 31#include "llvm/Support/IRBuilder.h" 32#include "llvm/Support/MemoryBuffer.h" 33#include "llvm/Support/Regex.h" 34#include "llvm/Support/raw_ostream.h" 35#include "llvm/Support/system_error.h" 36#include "llvm/Target/TargetData.h" 37#include "llvm/Target/TargetMachine.h" 38#include "llvm/Transforms/Instrumentation.h" 39#include "llvm/Transforms/Utils/BasicBlockUtils.h" 40#include "llvm/Transforms/Utils/ModuleUtils.h" 41#include "llvm/Type.h" 42 43#include <string> 44#include <algorithm> 45 46using namespace llvm; 47 48static const uint64_t kDefaultShadowScale = 3; 49static const uint64_t kDefaultShadowOffset32 = 1ULL << 29; 50static const uint64_t kDefaultShadowOffset64 = 1ULL << 44; 51 52static const size_t kMaxStackMallocSize = 1 << 16; // 64K 53static const uintptr_t kCurrentStackFrameMagic = 0x41B58AB3; 54static const uintptr_t kRetiredStackFrameMagic = 0x45E0360E; 55 56static const char *kAsanModuleCtorName = "asan.module_ctor"; 57static const char *kAsanModuleDtorName = "asan.module_dtor"; 58static const int kAsanCtorAndCtorPriority = 1; 59static const char *kAsanReportErrorTemplate = "__asan_report_"; 60static const char *kAsanRegisterGlobalsName = "__asan_register_globals"; 61static const char *kAsanUnregisterGlobalsName = "__asan_unregister_globals"; 62static const char *kAsanInitName = "__asan_init"; 63static const char *kAsanMappingOffsetName = "__asan_mapping_offset"; 64static const char *kAsanMappingScaleName = "__asan_mapping_scale"; 65static const char *kAsanStackMallocName = "__asan_stack_malloc"; 66static const char *kAsanStackFreeName = "__asan_stack_free"; 67 68static const int kAsanStackLeftRedzoneMagic = 0xf1; 69static const int kAsanStackMidRedzoneMagic = 0xf2; 70static const int kAsanStackRightRedzoneMagic = 0xf3; 71static const int kAsanStackPartialRedzoneMagic = 0xf4; 72 73// Command-line flags. 74 75// This flag may need to be replaced with -f[no-]asan-reads. 76static cl::opt<bool> ClInstrumentReads("asan-instrument-reads", 77 cl::desc("instrument read instructions"), cl::Hidden, cl::init(true)); 78static cl::opt<bool> ClInstrumentWrites("asan-instrument-writes", 79 cl::desc("instrument write instructions"), cl::Hidden, cl::init(true)); 80// This flag may need to be replaced with -f[no]asan-stack. 81static cl::opt<bool> ClStack("asan-stack", 82 cl::desc("Handle stack memory"), cl::Hidden, cl::init(true)); 83// This flag may need to be replaced with -f[no]asan-use-after-return. 84static cl::opt<bool> ClUseAfterReturn("asan-use-after-return", 85 cl::desc("Check return-after-free"), cl::Hidden, cl::init(false)); 86// This flag may need to be replaced with -f[no]asan-globals. 87static cl::opt<bool> ClGlobals("asan-globals", 88 cl::desc("Handle global objects"), cl::Hidden, cl::init(true)); 89static cl::opt<bool> ClMemIntrin("asan-memintrin", 90 cl::desc("Handle memset/memcpy/memmove"), cl::Hidden, cl::init(true)); 91// This flag may need to be replaced with -fasan-blacklist. 92static cl::opt<std::string> ClBlackListFile("asan-blacklist", 93 cl::desc("File containing the list of functions to ignore " 94 "during instrumentation"), cl::Hidden); 95 96// These flags allow to change the shadow mapping. 97// The shadow mapping looks like 98// Shadow = (Mem >> scale) + (1 << offset_log) 99static cl::opt<int> ClMappingScale("asan-mapping-scale", 100 cl::desc("scale of asan shadow mapping"), cl::Hidden, cl::init(0)); 101static cl::opt<int> ClMappingOffsetLog("asan-mapping-offset-log", 102 cl::desc("offset of asan shadow mapping"), cl::Hidden, cl::init(-1)); 103 104// Optimization flags. Not user visible, used mostly for testing 105// and benchmarking the tool. 106static cl::opt<bool> ClOpt("asan-opt", 107 cl::desc("Optimize instrumentation"), cl::Hidden, cl::init(true)); 108static cl::opt<bool> ClOptSameTemp("asan-opt-same-temp", 109 cl::desc("Instrument the same temp just once"), cl::Hidden, 110 cl::init(true)); 111static cl::opt<bool> ClOptGlobals("asan-opt-globals", 112 cl::desc("Don't instrument scalar globals"), cl::Hidden, cl::init(true)); 113 114// Debug flags. 115static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, 116 cl::init(0)); 117static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), 118 cl::Hidden, cl::init(0)); 119static cl::opt<std::string> ClDebugFunc("asan-debug-func", 120 cl::Hidden, cl::desc("Debug func")); 121static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), 122 cl::Hidden, cl::init(-1)); 123static cl::opt<int> ClDebugMax("asan-debug-max", cl::desc("Debug man inst"), 124 cl::Hidden, cl::init(-1)); 125 126namespace { 127 128// Blacklisted functions are not instrumented. 129// The blacklist file contains one or more lines like this: 130// --- 131// fun:FunctionWildCard 132// --- 133// This is similar to the "ignore" feature of ThreadSanitizer. 134// http://code.google.com/p/data-race-test/wiki/ThreadSanitizerIgnores 135class BlackList { 136 public: 137 BlackList(const std::string &Path); 138 bool isIn(const Function &F); 139 private: 140 Regex *Functions; 141}; 142 143/// AddressSanitizer: instrument the code in module to find memory bugs. 144struct AddressSanitizer : public ModulePass { 145 AddressSanitizer(); 146 virtual const char *getPassName() const; 147 void instrumentMop(Instruction *I); 148 void instrumentAddress(Instruction *OrigIns, IRBuilder<> &IRB, 149 Value *Addr, uint32_t TypeSize, bool IsWrite); 150 Instruction *generateCrashCode(IRBuilder<> &IRB, Value *Addr, 151 bool IsWrite, uint32_t TypeSize); 152 bool instrumentMemIntrinsic(MemIntrinsic *MI); 153 void instrumentMemIntrinsicParam(Instruction *OrigIns, Value *Addr, 154 Value *Size, 155 Instruction *InsertBefore, bool IsWrite); 156 Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); 157 bool handleFunction(Module &M, Function &F); 158 bool poisonStackInFunction(Module &M, Function &F); 159 virtual bool runOnModule(Module &M); 160 bool insertGlobalRedzones(Module &M); 161 BranchInst *splitBlockAndInsertIfThen(Instruction *SplitBefore, Value *Cmp); 162 static char ID; // Pass identification, replacement for typeid 163 164 private: 165 166 uint64_t getAllocaSizeInBytes(AllocaInst *AI) { 167 Type *Ty = AI->getAllocatedType(); 168 uint64_t SizeInBytes = TD->getTypeStoreSizeInBits(Ty) / 8; 169 return SizeInBytes; 170 } 171 uint64_t getAlignedSize(uint64_t SizeInBytes) { 172 return ((SizeInBytes + RedzoneSize - 1) 173 / RedzoneSize) * RedzoneSize; 174 } 175 uint64_t getAlignedAllocaSize(AllocaInst *AI) { 176 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 177 return getAlignedSize(SizeInBytes); 178 } 179 180 void PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, IRBuilder<> IRB, 181 Value *ShadowBase, bool DoPoison); 182 bool LooksLikeCodeInBug11395(Instruction *I); 183 184 Module *CurrentModule; 185 LLVMContext *C; 186 TargetData *TD; 187 uint64_t MappingOffset; 188 int MappingScale; 189 size_t RedzoneSize; 190 int LongSize; 191 Type *IntptrTy; 192 Type *IntptrPtrTy; 193 Function *AsanCtorFunction; 194 Function *AsanInitFunction; 195 Instruction *CtorInsertBefore; 196 OwningPtr<BlackList> BL; 197}; 198} // namespace 199 200char AddressSanitizer::ID = 0; 201INITIALIZE_PASS(AddressSanitizer, "asan", 202 "AddressSanitizer: detects use-after-free and out-of-bounds bugs.", 203 false, false) 204AddressSanitizer::AddressSanitizer() : ModulePass(ID) { } 205ModulePass *llvm::createAddressSanitizerPass() { 206 return new AddressSanitizer(); 207} 208 209const char *AddressSanitizer::getPassName() const { 210 return "AddressSanitizer"; 211} 212 213// Create a constant for Str so that we can pass it to the run-time lib. 214static GlobalVariable *createPrivateGlobalForString(Module &M, StringRef Str) { 215 Constant *StrConst = ConstantArray::get(M.getContext(), Str); 216 return new GlobalVariable(M, StrConst->getType(), true, 217 GlobalValue::PrivateLinkage, StrConst, ""); 218} 219 220// Split the basic block and insert an if-then code. 221// Before: 222// Head 223// SplitBefore 224// Tail 225// After: 226// Head 227// if (Cmp) 228// NewBasicBlock 229// SplitBefore 230// Tail 231// 232// Returns the NewBasicBlock's terminator. 233BranchInst *AddressSanitizer::splitBlockAndInsertIfThen( 234 Instruction *SplitBefore, Value *Cmp) { 235 BasicBlock *Head = SplitBefore->getParent(); 236 BasicBlock *Tail = Head->splitBasicBlock(SplitBefore); 237 TerminatorInst *HeadOldTerm = Head->getTerminator(); 238 BasicBlock *NewBasicBlock = 239 BasicBlock::Create(*C, "", Head->getParent()); 240 BranchInst *HeadNewTerm = BranchInst::Create(/*ifTrue*/NewBasicBlock, 241 /*ifFalse*/Tail, 242 Cmp); 243 ReplaceInstWithInst(HeadOldTerm, HeadNewTerm); 244 245 BranchInst *CheckTerm = BranchInst::Create(Tail, NewBasicBlock); 246 return CheckTerm; 247} 248 249Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { 250 // Shadow >> scale 251 Shadow = IRB.CreateLShr(Shadow, MappingScale); 252 if (MappingOffset == 0) 253 return Shadow; 254 // (Shadow >> scale) | offset 255 return IRB.CreateOr(Shadow, ConstantInt::get(IntptrTy, 256 MappingOffset)); 257} 258 259void AddressSanitizer::instrumentMemIntrinsicParam(Instruction *OrigIns, 260 Value *Addr, Value *Size, Instruction *InsertBefore, bool IsWrite) { 261 // Check the first byte. 262 { 263 IRBuilder<> IRB(InsertBefore); 264 instrumentAddress(OrigIns, IRB, Addr, 8, IsWrite); 265 } 266 // Check the last byte. 267 { 268 IRBuilder<> IRB(InsertBefore); 269 Value *SizeMinusOne = IRB.CreateSub( 270 Size, ConstantInt::get(Size->getType(), 1)); 271 SizeMinusOne = IRB.CreateIntCast(SizeMinusOne, IntptrTy, false); 272 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 273 Value *AddrPlusSizeMinisOne = IRB.CreateAdd(AddrLong, SizeMinusOne); 274 instrumentAddress(OrigIns, IRB, AddrPlusSizeMinisOne, 8, IsWrite); 275 } 276} 277 278// Instrument memset/memmove/memcpy 279bool AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI) { 280 Value *Dst = MI->getDest(); 281 MemTransferInst *MemTran = dyn_cast<MemTransferInst>(MI); 282 Value *Src = MemTran ? MemTran->getSource() : NULL; 283 Value *Length = MI->getLength(); 284 285 Constant *ConstLength = dyn_cast<Constant>(Length); 286 Instruction *InsertBefore = MI; 287 if (ConstLength) { 288 if (ConstLength->isNullValue()) return false; 289 } else { 290 // The size is not a constant so it could be zero -- check at run-time. 291 IRBuilder<> IRB(InsertBefore); 292 293 Value *Cmp = IRB.CreateICmpNE(Length, 294 Constant::getNullValue(Length->getType())); 295 InsertBefore = splitBlockAndInsertIfThen(InsertBefore, Cmp); 296 } 297 298 instrumentMemIntrinsicParam(MI, Dst, Length, InsertBefore, true); 299 if (Src) 300 instrumentMemIntrinsicParam(MI, Src, Length, InsertBefore, false); 301 return true; 302} 303 304static Value *getLDSTOperand(Instruction *I) { 305 if (LoadInst *LI = dyn_cast<LoadInst>(I)) { 306 return LI->getPointerOperand(); 307 } 308 return cast<StoreInst>(*I).getPointerOperand(); 309} 310 311void AddressSanitizer::instrumentMop(Instruction *I) { 312 int IsWrite = isa<StoreInst>(*I); 313 Value *Addr = getLDSTOperand(I); 314 if (ClOpt && ClOptGlobals && isa<GlobalVariable>(Addr)) { 315 // We are accessing a global scalar variable. Nothing to catch here. 316 return; 317 } 318 Type *OrigPtrTy = Addr->getType(); 319 Type *OrigTy = cast<PointerType>(OrigPtrTy)->getElementType(); 320 321 assert(OrigTy->isSized()); 322 uint32_t TypeSize = TD->getTypeStoreSizeInBits(OrigTy); 323 324 if (TypeSize != 8 && TypeSize != 16 && 325 TypeSize != 32 && TypeSize != 64 && TypeSize != 128) { 326 // Ignore all unusual sizes. 327 return; 328 } 329 330 IRBuilder<> IRB(I); 331 instrumentAddress(I, IRB, Addr, TypeSize, IsWrite); 332} 333 334Instruction *AddressSanitizer::generateCrashCode( 335 IRBuilder<> &IRB, Value *Addr, bool IsWrite, uint32_t TypeSize) { 336 // IsWrite and TypeSize are encoded in the function name. 337 std::string FunctionName = std::string(kAsanReportErrorTemplate) + 338 (IsWrite ? "store" : "load") + itostr(TypeSize / 8); 339 Value *ReportWarningFunc = CurrentModule->getOrInsertFunction( 340 FunctionName, IRB.getVoidTy(), IntptrTy, NULL); 341 CallInst *Call = IRB.CreateCall(ReportWarningFunc, Addr); 342 Call->setDoesNotReturn(); 343 return Call; 344} 345 346void AddressSanitizer::instrumentAddress(Instruction *OrigIns, 347 IRBuilder<> &IRB, Value *Addr, 348 uint32_t TypeSize, bool IsWrite) { 349 Value *AddrLong = IRB.CreatePointerCast(Addr, IntptrTy); 350 351 Type *ShadowTy = IntegerType::get( 352 *C, std::max(8U, TypeSize >> MappingScale)); 353 Type *ShadowPtrTy = PointerType::get(ShadowTy, 0); 354 Value *ShadowPtr = memToShadow(AddrLong, IRB); 355 Value *CmpVal = Constant::getNullValue(ShadowTy); 356 Value *ShadowValue = IRB.CreateLoad( 357 IRB.CreateIntToPtr(ShadowPtr, ShadowPtrTy)); 358 359 Value *Cmp = IRB.CreateICmpNE(ShadowValue, CmpVal); 360 361 Instruction *CheckTerm = splitBlockAndInsertIfThen( 362 cast<Instruction>(Cmp)->getNextNode(), Cmp); 363 IRBuilder<> IRB2(CheckTerm); 364 365 size_t Granularity = 1 << MappingScale; 366 if (TypeSize < 8 * Granularity) { 367 // Addr & (Granularity - 1) 368 Value *Lower3Bits = IRB2.CreateAnd( 369 AddrLong, ConstantInt::get(IntptrTy, Granularity - 1)); 370 // (Addr & (Granularity - 1)) + size - 1 371 Value *LastAccessedByte = IRB2.CreateAdd( 372 Lower3Bits, ConstantInt::get(IntptrTy, TypeSize / 8 - 1)); 373 // (uint8_t) ((Addr & (Granularity-1)) + size - 1) 374 LastAccessedByte = IRB2.CreateIntCast( 375 LastAccessedByte, IRB.getInt8Ty(), false); 376 // ((uint8_t) ((Addr & (Granularity-1)) + size - 1)) >= ShadowValue 377 Value *Cmp2 = IRB2.CreateICmpSGE(LastAccessedByte, ShadowValue); 378 379 CheckTerm = splitBlockAndInsertIfThen(CheckTerm, Cmp2); 380 } 381 382 IRBuilder<> IRB1(CheckTerm); 383 Instruction *Crash = generateCrashCode(IRB1, AddrLong, IsWrite, TypeSize); 384 Crash->setDebugLoc(OrigIns->getDebugLoc()); 385 ReplaceInstWithInst(CheckTerm, new UnreachableInst(*C)); 386} 387 388// This function replaces all global variables with new variables that have 389// trailing redzones. It also creates a function that poisons 390// redzones and inserts this function into llvm.global_ctors. 391bool AddressSanitizer::insertGlobalRedzones(Module &M) { 392 SmallVector<GlobalVariable *, 16> GlobalsToChange; 393 394 for (Module::GlobalListType::iterator G = M.getGlobalList().begin(), 395 E = M.getGlobalList().end(); G != E; ++G) { 396 Type *Ty = cast<PointerType>(G->getType())->getElementType(); 397 DEBUG(dbgs() << "GLOBAL: " << *G); 398 399 if (!Ty->isSized()) continue; 400 if (!G->hasInitializer()) continue; 401 // Touch only those globals that will not be defined in other modules. 402 // Don't handle ODR type linkages since other modules may be built w/o asan. 403 if (G->getLinkage() != GlobalVariable::ExternalLinkage && 404 G->getLinkage() != GlobalVariable::PrivateLinkage && 405 G->getLinkage() != GlobalVariable::InternalLinkage) 406 continue; 407 // Two problems with thread-locals: 408 // - The address of the main thread's copy can't be computed at link-time. 409 // - Need to poison all copies, not just the main thread's one. 410 if (G->isThreadLocal()) 411 continue; 412 // For now, just ignore this Alloca if the alignment is large. 413 if (G->getAlignment() > RedzoneSize) continue; 414 415 // Ignore all the globals with the names starting with "\01L_OBJC_". 416 // Many of those are put into the .cstring section. The linker compresses 417 // that section by removing the spare \0s after the string terminator, so 418 // our redzones get broken. 419 if ((G->getName().find("\01L_OBJC_") == 0) || 420 (G->getName().find("\01l_OBJC_") == 0)) { 421 DEBUG(dbgs() << "Ignoring \\01L_OBJC_* global: " << *G); 422 continue; 423 } 424 425 if (G->hasSection()) { 426 StringRef Section(G->getSection()); 427 // Ignore the globals from the __OBJC section. The ObjC runtime assumes 428 // those conform to /usr/lib/objc/runtime.h, so we can't add redzones to 429 // them. 430 if ((Section.find("__OBJC,") == 0) || 431 (Section.find("__DATA, __objc_") == 0)) { 432 DEBUG(dbgs() << "Ignoring ObjC runtime global: " << *G); 433 continue; 434 } 435 // See http://code.google.com/p/address-sanitizer/issues/detail?id=32 436 // Constant CFString instances are compiled in the following way: 437 // -- the string buffer is emitted into 438 // __TEXT,__cstring,cstring_literals 439 // -- the constant NSConstantString structure referencing that buffer 440 // is placed into __DATA,__cfstring 441 // Therefore there's no point in placing redzones into __DATA,__cfstring. 442 // Moreover, it causes the linker to crash on OS X 10.7 443 if (Section.find("__DATA,__cfstring") == 0) { 444 DEBUG(dbgs() << "Ignoring CFString: " << *G); 445 continue; 446 } 447 } 448 449 GlobalsToChange.push_back(G); 450 } 451 452 size_t n = GlobalsToChange.size(); 453 if (n == 0) return false; 454 455 // A global is described by a structure 456 // size_t beg; 457 // size_t size; 458 // size_t size_with_redzone; 459 // const char *name; 460 // We initialize an array of such structures and pass it to a run-time call. 461 StructType *GlobalStructTy = StructType::get(IntptrTy, IntptrTy, 462 IntptrTy, IntptrTy, NULL); 463 SmallVector<Constant *, 16> Initializers(n); 464 465 IRBuilder<> IRB(CtorInsertBefore); 466 467 for (size_t i = 0; i < n; i++) { 468 GlobalVariable *G = GlobalsToChange[i]; 469 PointerType *PtrTy = cast<PointerType>(G->getType()); 470 Type *Ty = PtrTy->getElementType(); 471 uint64_t SizeInBytes = TD->getTypeStoreSizeInBits(Ty) / 8; 472 uint64_t RightRedzoneSize = RedzoneSize + 473 (RedzoneSize - (SizeInBytes % RedzoneSize)); 474 Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); 475 476 StructType *NewTy = StructType::get(Ty, RightRedZoneTy, NULL); 477 Constant *NewInitializer = ConstantStruct::get( 478 NewTy, G->getInitializer(), 479 Constant::getNullValue(RightRedZoneTy), NULL); 480 481 SmallString<2048> DescriptionOfGlobal = G->getName(); 482 DescriptionOfGlobal += " ("; 483 DescriptionOfGlobal += M.getModuleIdentifier(); 484 DescriptionOfGlobal += ")"; 485 GlobalVariable *Name = createPrivateGlobalForString(M, DescriptionOfGlobal); 486 487 // Create a new global variable with enough space for a redzone. 488 GlobalVariable *NewGlobal = new GlobalVariable( 489 M, NewTy, G->isConstant(), G->getLinkage(), 490 NewInitializer, "", G, G->isThreadLocal()); 491 NewGlobal->copyAttributesFrom(G); 492 NewGlobal->setAlignment(RedzoneSize); 493 494 Value *Indices2[2]; 495 Indices2[0] = IRB.getInt32(0); 496 Indices2[1] = IRB.getInt32(0); 497 498 G->replaceAllUsesWith( 499 ConstantExpr::getGetElementPtr(NewGlobal, Indices2, true)); 500 NewGlobal->takeName(G); 501 G->eraseFromParent(); 502 503 Initializers[i] = ConstantStruct::get( 504 GlobalStructTy, 505 ConstantExpr::getPointerCast(NewGlobal, IntptrTy), 506 ConstantInt::get(IntptrTy, SizeInBytes), 507 ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), 508 ConstantExpr::getPointerCast(Name, IntptrTy), 509 NULL); 510 DEBUG(dbgs() << "NEW GLOBAL:\n" << *NewGlobal); 511 } 512 513 ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); 514 GlobalVariable *AllGlobals = new GlobalVariable( 515 M, ArrayOfGlobalStructTy, false, GlobalVariable::PrivateLinkage, 516 ConstantArray::get(ArrayOfGlobalStructTy, Initializers), ""); 517 518 Function *AsanRegisterGlobals = cast<Function>(M.getOrInsertFunction( 519 kAsanRegisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 520 AsanRegisterGlobals->setLinkage(Function::ExternalLinkage); 521 522 IRB.CreateCall2(AsanRegisterGlobals, 523 IRB.CreatePointerCast(AllGlobals, IntptrTy), 524 ConstantInt::get(IntptrTy, n)); 525 526 // We also need to unregister globals at the end, e.g. when a shared library 527 // gets closed. 528 Function *AsanDtorFunction = Function::Create( 529 FunctionType::get(Type::getVoidTy(*C), false), 530 GlobalValue::InternalLinkage, kAsanModuleDtorName, &M); 531 BasicBlock *AsanDtorBB = BasicBlock::Create(*C, "", AsanDtorFunction); 532 IRBuilder<> IRB_Dtor(ReturnInst::Create(*C, AsanDtorBB)); 533 Function *AsanUnregisterGlobals = cast<Function>(M.getOrInsertFunction( 534 kAsanUnregisterGlobalsName, IRB.getVoidTy(), IntptrTy, IntptrTy, NULL)); 535 AsanUnregisterGlobals->setLinkage(Function::ExternalLinkage); 536 537 IRB_Dtor.CreateCall2(AsanUnregisterGlobals, 538 IRB.CreatePointerCast(AllGlobals, IntptrTy), 539 ConstantInt::get(IntptrTy, n)); 540 appendToGlobalDtors(M, AsanDtorFunction, kAsanCtorAndCtorPriority); 541 542 DEBUG(dbgs() << M); 543 return true; 544} 545 546// virtual 547bool AddressSanitizer::runOnModule(Module &M) { 548 // Initialize the private fields. No one has accessed them before. 549 TD = getAnalysisIfAvailable<TargetData>(); 550 if (!TD) 551 return false; 552 BL.reset(new BlackList(ClBlackListFile)); 553 554 CurrentModule = &M; 555 C = &(M.getContext()); 556 LongSize = TD->getPointerSizeInBits(); 557 IntptrTy = Type::getIntNTy(*C, LongSize); 558 IntptrPtrTy = PointerType::get(IntptrTy, 0); 559 560 AsanCtorFunction = Function::Create( 561 FunctionType::get(Type::getVoidTy(*C), false), 562 GlobalValue::InternalLinkage, kAsanModuleCtorName, &M); 563 BasicBlock *AsanCtorBB = BasicBlock::Create(*C, "", AsanCtorFunction); 564 CtorInsertBefore = ReturnInst::Create(*C, AsanCtorBB); 565 566 // call __asan_init in the module ctor. 567 IRBuilder<> IRB(CtorInsertBefore); 568 AsanInitFunction = cast<Function>( 569 M.getOrInsertFunction(kAsanInitName, IRB.getVoidTy(), NULL)); 570 AsanInitFunction->setLinkage(Function::ExternalLinkage); 571 IRB.CreateCall(AsanInitFunction); 572 573 MappingOffset = LongSize == 32 574 ? kDefaultShadowOffset32 : kDefaultShadowOffset64; 575 if (ClMappingOffsetLog >= 0) { 576 if (ClMappingOffsetLog == 0) { 577 // special case 578 MappingOffset = 0; 579 } else { 580 MappingOffset = 1ULL << ClMappingOffsetLog; 581 } 582 } 583 MappingScale = kDefaultShadowScale; 584 if (ClMappingScale) { 585 MappingScale = ClMappingScale; 586 } 587 // Redzone used for stack and globals is at least 32 bytes. 588 // For scales 6 and 7, the redzone has to be 64 and 128 bytes respectively. 589 RedzoneSize = std::max(32, (int)(1 << MappingScale)); 590 591 bool Res = false; 592 593 if (ClGlobals) 594 Res |= insertGlobalRedzones(M); 595 596 // Tell the run-time the current values of mapping offset and scale. 597 GlobalValue *asan_mapping_offset = 598 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 599 ConstantInt::get(IntptrTy, MappingOffset), 600 kAsanMappingOffsetName); 601 GlobalValue *asan_mapping_scale = 602 new GlobalVariable(M, IntptrTy, true, GlobalValue::LinkOnceODRLinkage, 603 ConstantInt::get(IntptrTy, MappingScale), 604 kAsanMappingScaleName); 605 // Read these globals, otherwise they may be optimized away. 606 IRB.CreateLoad(asan_mapping_scale, true); 607 IRB.CreateLoad(asan_mapping_offset, true); 608 609 610 for (Module::iterator F = M.begin(), E = M.end(); F != E; ++F) { 611 if (F->isDeclaration()) continue; 612 Res |= handleFunction(M, *F); 613 } 614 615 appendToGlobalCtors(M, AsanCtorFunction, kAsanCtorAndCtorPriority); 616 617 return Res; 618} 619 620bool AddressSanitizer::handleFunction(Module &M, Function &F) { 621 if (BL->isIn(F)) return false; 622 if (&F == AsanCtorFunction) return false; 623 if (!F.hasFnAttr(Attribute::AddressSafety)) return false; 624 625 if (!ClDebugFunc.empty() && ClDebugFunc != F.getName()) 626 return false; 627 // We want to instrument every address only once per basic block 628 // (unless there are calls between uses). 629 SmallSet<Value*, 16> TempsToInstrument; 630 SmallVector<Instruction*, 16> ToInstrument; 631 632 // Fill the set of memory operations to instrument. 633 for (Function::iterator FI = F.begin(), FE = F.end(); 634 FI != FE; ++FI) { 635 TempsToInstrument.clear(); 636 for (BasicBlock::iterator BI = FI->begin(), BE = FI->end(); 637 BI != BE; ++BI) { 638 if (LooksLikeCodeInBug11395(BI)) return false; 639 if ((isa<LoadInst>(BI) && ClInstrumentReads) || 640 (isa<StoreInst>(BI) && ClInstrumentWrites)) { 641 Value *Addr = getLDSTOperand(BI); 642 if (ClOpt && ClOptSameTemp) { 643 if (!TempsToInstrument.insert(Addr)) 644 continue; // We've seen this temp in the current BB. 645 } 646 } else if (isa<MemIntrinsic>(BI) && ClMemIntrin) { 647 // ok, take it. 648 } else { 649 if (isa<CallInst>(BI)) { 650 // A call inside BB. 651 TempsToInstrument.clear(); 652 } 653 continue; 654 } 655 ToInstrument.push_back(BI); 656 } 657 } 658 659 // Instrument. 660 int NumInstrumented = 0; 661 for (size_t i = 0, n = ToInstrument.size(); i != n; i++) { 662 Instruction *Inst = ToInstrument[i]; 663 if (ClDebugMin < 0 || ClDebugMax < 0 || 664 (NumInstrumented >= ClDebugMin && NumInstrumented <= ClDebugMax)) { 665 if (isa<StoreInst>(Inst) || isa<LoadInst>(Inst)) 666 instrumentMop(Inst); 667 else 668 instrumentMemIntrinsic(cast<MemIntrinsic>(Inst)); 669 } 670 NumInstrumented++; 671 } 672 673 DEBUG(dbgs() << F); 674 675 bool ChangedStack = poisonStackInFunction(M, F); 676 677 // For each NSObject descendant having a +load method, this method is invoked 678 // by the ObjC runtime before any of the static constructors is called. 679 // Therefore we need to instrument such methods with a call to __asan_init 680 // at the beginning in order to initialize our runtime before any access to 681 // the shadow memory. 682 // We cannot just ignore these methods, because they may call other 683 // instrumented functions. 684 if (F.getName().find(" load]") != std::string::npos) { 685 IRBuilder<> IRB(F.begin()->begin()); 686 IRB.CreateCall(AsanInitFunction); 687 } 688 689 return NumInstrumented > 0 || ChangedStack; 690} 691 692static uint64_t ValueForPoison(uint64_t PoisonByte, size_t ShadowRedzoneSize) { 693 if (ShadowRedzoneSize == 1) return PoisonByte; 694 if (ShadowRedzoneSize == 2) return (PoisonByte << 8) + PoisonByte; 695 if (ShadowRedzoneSize == 4) 696 return (PoisonByte << 24) + (PoisonByte << 16) + 697 (PoisonByte << 8) + (PoisonByte); 698 assert(0 && "ShadowRedzoneSize is either 1, 2 or 4"); 699 return 0; 700} 701 702static void PoisonShadowPartialRightRedzone(uint8_t *Shadow, 703 size_t Size, 704 size_t RedzoneSize, 705 size_t ShadowGranularity, 706 uint8_t Magic) { 707 for (size_t i = 0; i < RedzoneSize; 708 i+= ShadowGranularity, Shadow++) { 709 if (i + ShadowGranularity <= Size) { 710 *Shadow = 0; // fully addressable 711 } else if (i >= Size) { 712 *Shadow = Magic; // unaddressable 713 } else { 714 *Shadow = Size - i; // first Size-i bytes are addressable 715 } 716 } 717} 718 719void AddressSanitizer::PoisonStack(const ArrayRef<AllocaInst*> &AllocaVec, 720 IRBuilder<> IRB, 721 Value *ShadowBase, bool DoPoison) { 722 size_t ShadowRZSize = RedzoneSize >> MappingScale; 723 assert(ShadowRZSize >= 1 && ShadowRZSize <= 4); 724 Type *RZTy = Type::getIntNTy(*C, ShadowRZSize * 8); 725 Type *RZPtrTy = PointerType::get(RZTy, 0); 726 727 Value *PoisonLeft = ConstantInt::get(RZTy, 728 ValueForPoison(DoPoison ? kAsanStackLeftRedzoneMagic : 0LL, ShadowRZSize)); 729 Value *PoisonMid = ConstantInt::get(RZTy, 730 ValueForPoison(DoPoison ? kAsanStackMidRedzoneMagic : 0LL, ShadowRZSize)); 731 Value *PoisonRight = ConstantInt::get(RZTy, 732 ValueForPoison(DoPoison ? kAsanStackRightRedzoneMagic : 0LL, ShadowRZSize)); 733 734 // poison the first red zone. 735 IRB.CreateStore(PoisonLeft, IRB.CreateIntToPtr(ShadowBase, RZPtrTy)); 736 737 // poison all other red zones. 738 uint64_t Pos = RedzoneSize; 739 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 740 AllocaInst *AI = AllocaVec[i]; 741 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 742 uint64_t AlignedSize = getAlignedAllocaSize(AI); 743 assert(AlignedSize - SizeInBytes < RedzoneSize); 744 Value *Ptr = NULL; 745 746 Pos += AlignedSize; 747 748 assert(ShadowBase->getType() == IntptrTy); 749 if (SizeInBytes < AlignedSize) { 750 // Poison the partial redzone at right 751 Ptr = IRB.CreateAdd( 752 ShadowBase, ConstantInt::get(IntptrTy, 753 (Pos >> MappingScale) - ShadowRZSize)); 754 size_t AddressableBytes = RedzoneSize - (AlignedSize - SizeInBytes); 755 uint32_t Poison = 0; 756 if (DoPoison) { 757 PoisonShadowPartialRightRedzone((uint8_t*)&Poison, AddressableBytes, 758 RedzoneSize, 759 1ULL << MappingScale, 760 kAsanStackPartialRedzoneMagic); 761 } 762 Value *PartialPoison = ConstantInt::get(RZTy, Poison); 763 IRB.CreateStore(PartialPoison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 764 } 765 766 // Poison the full redzone at right. 767 Ptr = IRB.CreateAdd(ShadowBase, 768 ConstantInt::get(IntptrTy, Pos >> MappingScale)); 769 Value *Poison = i == AllocaVec.size() - 1 ? PoisonRight : PoisonMid; 770 IRB.CreateStore(Poison, IRB.CreateIntToPtr(Ptr, RZPtrTy)); 771 772 Pos += RedzoneSize; 773 } 774} 775 776// Workaround for bug 11395: we don't want to instrument stack in functions 777// with large assembly blobs (32-bit only), otherwise reg alloc may crash. 778// FIXME: remove once the bug 11395 is fixed. 779bool AddressSanitizer::LooksLikeCodeInBug11395(Instruction *I) { 780 if (LongSize != 32) return false; 781 CallInst *CI = dyn_cast<CallInst>(I); 782 if (!CI || !CI->isInlineAsm()) return false; 783 if (CI->getNumArgOperands() <= 5) return false; 784 // We have inline assembly with quite a few arguments. 785 return true; 786} 787 788// Find all static Alloca instructions and put 789// poisoned red zones around all of them. 790// Then unpoison everything back before the function returns. 791// 792// Stack poisoning does not play well with exception handling. 793// When an exception is thrown, we essentially bypass the code 794// that unpoisones the stack. This is why the run-time library has 795// to intercept __cxa_throw (as well as longjmp, etc) and unpoison the entire 796// stack in the interceptor. This however does not work inside the 797// actual function which catches the exception. Most likely because the 798// compiler hoists the load of the shadow value somewhere too high. 799// This causes asan to report a non-existing bug on 453.povray. 800// It sounds like an LLVM bug. 801bool AddressSanitizer::poisonStackInFunction(Module &M, Function &F) { 802 if (!ClStack) return false; 803 SmallVector<AllocaInst*, 16> AllocaVec; 804 SmallVector<Instruction*, 8> RetVec; 805 uint64_t TotalSize = 0; 806 807 // Filter out Alloca instructions we want (and can) handle. 808 // Collect Ret instructions. 809 for (Function::iterator FI = F.begin(), FE = F.end(); 810 FI != FE; ++FI) { 811 BasicBlock &BB = *FI; 812 for (BasicBlock::iterator BI = BB.begin(), BE = BB.end(); 813 BI != BE; ++BI) { 814 if (isa<ReturnInst>(BI)) { 815 RetVec.push_back(BI); 816 continue; 817 } 818 819 AllocaInst *AI = dyn_cast<AllocaInst>(BI); 820 if (!AI) continue; 821 if (AI->isArrayAllocation()) continue; 822 if (!AI->isStaticAlloca()) continue; 823 if (!AI->getAllocatedType()->isSized()) continue; 824 if (AI->getAlignment() > RedzoneSize) continue; 825 AllocaVec.push_back(AI); 826 uint64_t AlignedSize = getAlignedAllocaSize(AI); 827 TotalSize += AlignedSize; 828 } 829 } 830 831 if (AllocaVec.empty()) return false; 832 833 uint64_t LocalStackSize = TotalSize + (AllocaVec.size() + 1) * RedzoneSize; 834 835 bool DoStackMalloc = ClUseAfterReturn 836 && LocalStackSize <= kMaxStackMallocSize; 837 838 Instruction *InsBefore = AllocaVec[0]; 839 IRBuilder<> IRB(InsBefore); 840 841 842 Type *ByteArrayTy = ArrayType::get(IRB.getInt8Ty(), LocalStackSize); 843 AllocaInst *MyAlloca = 844 new AllocaInst(ByteArrayTy, "MyAlloca", InsBefore); 845 MyAlloca->setAlignment(RedzoneSize); 846 assert(MyAlloca->isStaticAlloca()); 847 Value *OrigStackBase = IRB.CreatePointerCast(MyAlloca, IntptrTy); 848 Value *LocalStackBase = OrigStackBase; 849 850 if (DoStackMalloc) { 851 Value *AsanStackMallocFunc = M.getOrInsertFunction( 852 kAsanStackMallocName, IntptrTy, IntptrTy, IntptrTy, NULL); 853 LocalStackBase = IRB.CreateCall2(AsanStackMallocFunc, 854 ConstantInt::get(IntptrTy, LocalStackSize), OrigStackBase); 855 } 856 857 // This string will be parsed by the run-time (DescribeStackAddress). 858 SmallString<2048> StackDescriptionStorage; 859 raw_svector_ostream StackDescription(StackDescriptionStorage); 860 StackDescription << F.getName() << " " << AllocaVec.size() << " "; 861 862 uint64_t Pos = RedzoneSize; 863 // Replace Alloca instructions with base+offset. 864 for (size_t i = 0, n = AllocaVec.size(); i < n; i++) { 865 AllocaInst *AI = AllocaVec[i]; 866 uint64_t SizeInBytes = getAllocaSizeInBytes(AI); 867 StringRef Name = AI->getName(); 868 StackDescription << Pos << " " << SizeInBytes << " " 869 << Name.size() << " " << Name << " "; 870 uint64_t AlignedSize = getAlignedAllocaSize(AI); 871 assert((AlignedSize % RedzoneSize) == 0); 872 AI->replaceAllUsesWith( 873 IRB.CreateIntToPtr( 874 IRB.CreateAdd(LocalStackBase, ConstantInt::get(IntptrTy, Pos)), 875 AI->getType())); 876 Pos += AlignedSize + RedzoneSize; 877 } 878 assert(Pos == LocalStackSize); 879 880 // Write the Magic value and the frame description constant to the redzone. 881 Value *BasePlus0 = IRB.CreateIntToPtr(LocalStackBase, IntptrPtrTy); 882 IRB.CreateStore(ConstantInt::get(IntptrTy, kCurrentStackFrameMagic), 883 BasePlus0); 884 Value *BasePlus1 = IRB.CreateAdd(LocalStackBase, 885 ConstantInt::get(IntptrTy, LongSize/8)); 886 BasePlus1 = IRB.CreateIntToPtr(BasePlus1, IntptrPtrTy); 887 Value *Description = IRB.CreatePointerCast( 888 createPrivateGlobalForString(M, StackDescription.str()), 889 IntptrTy); 890 IRB.CreateStore(Description, BasePlus1); 891 892 // Poison the stack redzones at the entry. 893 Value *ShadowBase = memToShadow(LocalStackBase, IRB); 894 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRB, ShadowBase, true); 895 896 Value *AsanStackFreeFunc = NULL; 897 if (DoStackMalloc) { 898 AsanStackFreeFunc = M.getOrInsertFunction( 899 kAsanStackFreeName, IRB.getVoidTy(), 900 IntptrTy, IntptrTy, IntptrTy, NULL); 901 } 902 903 // Unpoison the stack before all ret instructions. 904 for (size_t i = 0, n = RetVec.size(); i < n; i++) { 905 Instruction *Ret = RetVec[i]; 906 IRBuilder<> IRBRet(Ret); 907 908 // Mark the current frame as retired. 909 IRBRet.CreateStore(ConstantInt::get(IntptrTy, kRetiredStackFrameMagic), 910 BasePlus0); 911 // Unpoison the stack. 912 PoisonStack(ArrayRef<AllocaInst*>(AllocaVec), IRBRet, ShadowBase, false); 913 914 if (DoStackMalloc) { 915 IRBRet.CreateCall3(AsanStackFreeFunc, LocalStackBase, 916 ConstantInt::get(IntptrTy, LocalStackSize), 917 OrigStackBase); 918 } 919 } 920 921 if (ClDebugStack) { 922 DEBUG(dbgs() << F); 923 } 924 925 return true; 926} 927 928BlackList::BlackList(const std::string &Path) { 929 Functions = NULL; 930 const char *kFunPrefix = "fun:"; 931 if (!ClBlackListFile.size()) return; 932 std::string Fun; 933 934 OwningPtr<MemoryBuffer> File; 935 if (error_code EC = MemoryBuffer::getFile(ClBlackListFile.c_str(), File)) { 936 report_fatal_error("Can't open blacklist file " + ClBlackListFile + ": " + 937 EC.message()); 938 } 939 MemoryBuffer *Buff = File.take(); 940 const char *Data = Buff->getBufferStart(); 941 size_t DataLen = Buff->getBufferSize(); 942 SmallVector<StringRef, 16> Lines; 943 SplitString(StringRef(Data, DataLen), Lines, "\n\r"); 944 for (size_t i = 0, numLines = Lines.size(); i < numLines; i++) { 945 if (Lines[i].startswith(kFunPrefix)) { 946 std::string ThisFunc = Lines[i].substr(strlen(kFunPrefix)); 947 std::string ThisFuncRE; 948 // add ThisFunc replacing * with .* 949 for (size_t j = 0, n = ThisFunc.size(); j < n; j++) { 950 if (ThisFunc[j] == '*') 951 ThisFuncRE += '.'; 952 ThisFuncRE += ThisFunc[j]; 953 } 954 // Check that the regexp is valid. 955 Regex CheckRE(ThisFuncRE); 956 std::string Error; 957 if (!CheckRE.isValid(Error)) 958 report_fatal_error("malformed blacklist regex: " + ThisFunc + 959 ": " + Error); 960 // Append to the final regexp. 961 if (Fun.size()) 962 Fun += "|"; 963 Fun += ThisFuncRE; 964 } 965 } 966 if (Fun.size()) { 967 Functions = new Regex(Fun); 968 } 969} 970 971bool BlackList::isIn(const Function &F) { 972 if (Functions) { 973 bool Res = Functions->match(F.getName()); 974 return Res; 975 } 976 return false; 977} 978